4 files changed, 88 insertions, 12 deletions

diff --git a/RELNOTES b/RELNOTES
index d25230227..90164fb20 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -31,6 +31,7 @@ firejail (0.9.46-rc1) baseline; urgency=low
   * feature: disabled Go, Rust, and OpenSSL in disable-devel.conf
   * feature: support overlay, overlay-named and overlay-tmpfs in profile files
   * feature: allow PulseAudio sockets in --private-tmp
+  * feature: --fix-sound support in firecfg
   * new profiles: xiphos, Tor Browser Bundle, display (imagemagick), Wire,
   * new profiles: mumble, zoom, Guayadeque, qemu, keypass2, xed, pluma,
   * new profiles: Cryptocat, Bless, Gnome 2048, Gnome Calculator,
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index c8af9d03a..af5ebef98 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -34,6 +34,7 @@
 
 #include "../include/common.h"
 static int arg_debug = 0;
+#define MAX_BUF 1024
 
 static void usage(void) {
         printf("firecfg - version %s\n\n", VERSION);
@@ -46,6 +47,7 @@ static void usage(void) {
         printf("Usage: firecfg [OPTIONS]\n\n");
         printf("   --clean - remove all firejail symbolic links.\n\n");
         printf("   --debug - print debug messages.\n\n");
+        printf("   --fix-sound - create ~/.config/pulse/client.conf file.\n\n");
         printf("   --help, -? - this help screen.\n\n");
         printf("   --list - list all firejail symbolic links.\n\n");
         printf("   --version - print program version and exit.\n\n");
@@ -67,6 +69,49 @@ static void usage(void) {
         printf("Homepage: http://firejail.wordpress.com\n\n");
 }
 
+static void sound(void) {
+        struct passwd *pw = getpwuid(getuid());
+        if (!pw) {
+                goto errexit;
+        }
+        char *home = pw->pw_dir;
+        if (!home) {
+                goto errexit;
+        }
+        
+        // the input file is /etc/pulse/client.conf
+        FILE *fpin = fopen("/etc/pulse/client.conf", "r");
+        if (!fpin) {
+                fprintf(stderr, "PulseAudio is not available on this platform, there is nothing to fix...\n");
+                return;
+        }
+
+        // the dest is PulseAudio user config file
+        char *fname;
+        if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1)
+                errExit("asprintf");
+        FILE *fpout = fopen(fname, "w");
+        free(fname);
+        if (!fpout)
+                goto errexit;
+                
+        // copy default config
+        char buf[MAX_BUF];
+        while (fgets(buf, MAX_BUF, fpin))
+                fputs(buf, fpout);
+        
+        // disable shm
+        fprintf(fpout, "\nenable-shm = no\n");
+        fclose(fpin);
+        fclose(fpout);
+        printf("PulseAudio configured, please logout and login back again\n");
+        return; 
+
+errexit:
+        fprintf(stderr, "Error: cannot configure sound file\n");
+        exit(1);
+}
+
 // return 1 if the program is found
 static int find(const char *program, const char *directory) {
         int retval = 0;
@@ -231,7 +276,6 @@ static void set_file(const char *name, const char *firejail_exec) {
         free(fname);
 }
 
-#define MAX_BUF 1024
 static void set_links(void) {
         char *cfgfile;
         if (asprintf(&cfgfile, "%s/firejail/firecfg.config", LIBDIR) == -1)
@@ -504,6 +548,10 @@ int main(int argc, char **argv) {
                         list();
                         return 0;
                 }
+                else if (strcmp(argv[i], "--fix-sound") == 0) {
+                        sound();
+                        return 0;
+                }
                 else {
                         fprintf(stderr, "Error: invalid command line option\n");
                         usage();
@@ -513,8 +561,9 @@ int main(int argc, char **argv) {
         
         // set symlinks in /usr/local/bin
         if (getuid() != 0) {
-                fprintf(stderr, "Error: you need to be root to run this command\n");
-                exit(1);
+                fprintf(stderr, "Error: cannot set the symbolic links in /usr/local/bin\n");
+                fprintf(stderr, "The proper way to run this command is \"sudo firecfg\".\n");
+                return 1;
         }
         set_links();
 
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 369c3a7e0..979d4fc06 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -1,24 +1,50 @@
 .TH FIRECFG 1 "MONTH YEAR" "VERSION" "firecfg man page"
 .SH NAME
-Firecfg \- Desktop configuration program for Firejail software.
+Firecfg \- Desktop integration utility for Firejail software.
 .SH SYNOPSIS
 firecfg [OPTIONS]
 .SH DESCRIPTION
-Firecfg is the desktop configuration utility for Firejail software. The utility
-creates several symbolic links to firejail executable in /usr/local/bin.
+Firecfg is the desktop integration utility for Firejail sandbox. 
+It allows the user to sandbox applications automatically by
+clicking on desktop manager icons and menus.
 
-Firecfg also checks .desktop files in /usr/share/applications/, 
-replaces the full path by program name, and writes the  result to $HOME/.local/share/applications/.
-This allows the user to sandbox applications automatically, just by clicking on regular desktop
-menus and icons.
+The integration covers:
+.br
+.PP
+.RS
+- programs started in a terminal - typing "firefox" would be enough to start a sandboxed Firefox browser
+.br
 
-For more information, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
+.br
+- programs started by clicking on desktop manager menus - all major desktop managers are supported
+.br
+
+.br
+- programs started by clicking on file icons in file manager - only Cinnamon, KDE, LXDE, MATE and XFCE
+desktop managers are supported in this moment
+.RE
+
+This brings us as very close to full desktop integration.
+
+To set it up, run "sudo firecfg" after installing
+Firejail software, and logout/login for the integration to take effect. "sudo firecfg" should also be run after
+you install new programs. If the program is supported by Firejail, the symbolic link in /usr/local/bin
+will be created. For a list of programs supported by default run "ls /etc/firejail".
+
+For user-driven manual integration, see \fBDESKTOP INTEGRATION\fR section in \fBman 1 firejail\fR.
 
 .SH OPTIONS
 .TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 .TP
+\fB\-\-fix-sound
+Create a proper ~/.config/pulse/client.conf file without shm support. On some PulseAudio versions,
+shared memory support (shm) breaks the process ID namespace. PulseAudio software was designed
+a long time ago, and the introduction of PID namespace in Linux kernel breaks their design. This was
+reportedly fixed in PulseAudio version 9. If you have sound problems on your system, run
+"firecfg --fix-sound" command in a terminal, followed by logout/login in order to apply the changes.
+.TP
 \fB\-\-debug
 Print debug messages.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index bc4c3f19a..915a0d50d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1997,7 +1997,7 @@ $ firejail --tree
       1221:netblue:/usr/lib/firefox/firefox
 .RE
 
-For more information, see \fBman 1 firecfg\fR.
+We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details.
 
 .SH APPARMOR
 .TP